<!DOCTYPE html>
<html>

<head>
  <title>Quarkus - Using OpenID Connect to Protect Web Applications using Authorization Code Flow.</title>
  <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
  <script src="/assets/javascript/highlight.pack.js" type="text/javascript"></script>
  <META HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'none'; script-src 'self' 'unsafe-eval' 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' js.bizographics.com https://www.redhat.com assets.adobedtm.com jsonip.com https://ajax.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://use.fontawesome.com; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' *; media-src 'self' ; frame-src https://www.googletagmanager.com https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;">
  <META HTTP-EQUIV='X-Frame-Options' CONTENT="DENY">
  <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">
  <META HTTP-EQUIV='X-Content-Type-Options' CONTENT="nosniff">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Quarkus: Supersonic Subatomic Java">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@QuarkusIO"> 
  <meta name="twitter:creator" content="@QuarkusIO">
  <meta property="og:url" content="https://quarkus.io/guides/security-openid-connect-web-authentication" />
  <meta property="og:title" content="Quarkus - Using OpenID Connect to Protect Web Applications using Authorization Code Flow." />
  <meta property="og:description" content="Quarkus: Supersonic Subatomic Java" />
  <meta property="og:image" content="/assets/images/quarkus_card.png" />
  <link rel="canonical" href="https://quarkus.io/guides/security-openid-connect-web-authentication">
  <link rel="shortcut icon" type="image/png" href="/favicon.ico" >
  <link rel="stylesheet" href="https://quarkus.io/guides/stylesheet/config.css" />
  <link rel="stylesheet" href="/assets/css/main.css" />
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
  <link rel="alternate" type="application/rss+xml"  href="https://quarkus.io/feed.xml" title="Quarkus">
  <script src="https://quarkus.io/assets/javascript/goan.js" type="text/javascript"></script>
  <script src="https://quarkus.io/assets/javascript/hl.js" type="text/javascript"></script>
</head>

<body class="guides">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NJWS5L"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->

  <div class="nav-wrapper">
  <div class="grid-wrapper">
    <div class="width-12-12">
      <input type="checkbox" id="checkbox" />
      <nav id="main-nav" class="main-nav">
  <div class="container">
    <div class="logo-wrapper">
      
        <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_600px_reverse.png" class="project-logo" title="Quarkus"></a>
      
    </div>
    <label class="nav-toggle" for="checkbox">
      <i class="fa fa-bars"></i>
    </label>
    <div id="menu" class="menu">
      <span>
        <a href="/get-started/" class="">Get Started</a>
      </span>
      <span>
        <a href="/guides/" class="active">Guides</a>
      </span>
      <span>
        <a href="/community/" class="">Community</a>
      </span>
      <span>
        <a href="/support/" class="">Support</a>
      </span>
      <span>
        <a href="/blog/" class="">Blog</a>
      </span>
      <span>
        <a href="https://code.quarkus.io" class="button-cta secondary white">Start Coding</a>
      </span>
    </div>
  </div>
      </nav>
    </div>
  </div>
</div>

  <div class="content">
    <div class="guide">
  <div class="width-12-12">
    <h1 class="text-caps">Quarkus - Using OpenID Connect to Protect Web Applications using Authorization Code Flow.</h1>
    <div class="hide-mobile toc"><ul class="sectlevel1">
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#solution">Solution</a></li>
<li><a href="#creating-the-maven-project">Creating the Maven Project</a></li>
<li><a href="#configuring-the-application">Configuring the application</a>
<ul class="sectlevel2">
<li><a href="#configuring-using-the-application-properties-file">Configuring using the application.properties file</a></li>
</ul>
</li>
<li><a href="#starting-and-configuring-the-keycloak-server">Starting and Configuring the Keycloak Server</a></li>
<li><a href="#running-and-using-the-application">Running and Using the Application</a>
<ul class="sectlevel2">
<li><a href="#running-in-developer-mode">Running in Developer Mode</a></li>
<li><a href="#running-in-jvm-mode">Running in JVM Mode</a></li>
<li><a href="#running-in-native-mode">Running in Native Mode</a></li>
</ul>
</li>
<li><a href="#testing-the-application">Testing the Application</a></li>
<li><a href="#redirection">Redirection</a></li>
<li><a href="#logout">Logout</a>
<ul class="sectlevel2">
<li><a href="#user-initiated-logout">User-Initiated Logout</a></li>
</ul>
</li>
<li><a href="#accessing-id-and-access-tokens">Accessing ID and Access Tokens</a></li>
<li><a href="#user-info">User Info</a></li>
<li><a href="#token-claims-and-securityidentity-roles">Token Claims And SecurityIdentity Roles</a></li>
<li><a href="#single-page-applications">Single Page Applications</a></li>
<li><a href="#configuration-reference">Configuration Reference</a></li>
<li><a href="#references">References</a></li>
</ul></div>
    <div>
      <div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This guide demonstrates how to use Quarkus OpenID Connect Extension to protect your Quarkus HTTP endpoints using OpenId Connect Authorization Code Flow supported by OpenId Connect compliant Authorization Servers such as <a href="https://www.keycloak.org/about.html">Keycloak</a>.</p>
</div>
<div class="paragraph">
<p>The extension allows to easily authenticate the users of your web application by redirecting them to the OpenID Connect Provider (e.g.: Keycloak) to login and, once the authentication is complete, return them back with the code confirming the successful authentication. The extension will request ID and access tokens from the OpenID Connect Provider using an authorization code grant and verify these tokens in order to authorize an access to the application.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect">Using OpenID Connect to Protect Service Applications</a> guide if you need to protect your applications using Bearer Token Authorization.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect-multitenancy">Using OpenID Connect Multi-Tenancy</a> guide how to support multiple tenants.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="prerequisites"><a class="anchor" href="#prerequisites"></a>Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To complete this guide, you need:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>less than 15 minutes</p>
</li>
<li>
<p>an IDE</p>
</li>
<li>
<p>JDK 1.8+ installed with <code>JAVA_HOME</code> configured appropriately</p>
</li>
<li>
<p>Apache Maven 3.6.2+</p>
</li>
<li>
<p><a href="https://stedolan.github.io/jq/">jq tool</a></p>
</li>
<li>
<p>Docker</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="architecture"><a class="anchor" href="#architecture"></a>Architecture</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In this example, we build a very simple web application with a single page:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>/index.html</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>This page is protected and can only be accessed by authenticated users.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="solution"><a class="anchor" href="#solution"></a>Solution</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We recommend that you follow the instructions in the next sections and create the application step by step.
However, you can go right to the completed example.</p>
</div>
<div class="paragraph">
<p>Clone the Git repository: <code>git clone <a href="https://github.com/quarkusio/quarkus-quickstarts.git" class="bare">https://github.com/quarkusio/quarkus-quickstarts.git</a></code>, or download an <a href="https://github.com/quarkusio/quarkus-quickstarts/archive/master.zip">archive</a>.</p>
</div>
<div class="paragraph">
<p>The solution is located in the <code>security-openid-connect-web-authentication-quickstart</code> <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-web-authentication-quickstart">directory</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="creating-the-maven-project"><a class="anchor" href="#creating-the-maven-project"></a>Creating the Maven Project</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, we need a new project. Create a new project with the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs">mvn io.quarkus:quarkus-maven-plugin:1.7.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=security-openid-connect-web-authentication-quickstart \
    -Dextensions="oidc"
cd security-openid-connect-web-authentication-quickstart</code></pre>
</div>
</div>
<div class="paragraph">
<p>If you already have your Quarkus project configured, you can add the <code>oidc</code> extension
to your project by running the following command in your project base directory:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw quarkus:add-extension -Dextensions="oidc"</code></pre>
</div>
</div>
<div class="paragraph">
<p>This will add the following to your <code>pom.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="xml" class="language-xml hljs">&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-oidc&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-the-application"><a class="anchor" href="#configuring-the-application"></a>Configuring the application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The OpenID Connect extension allows you to define the configuration using the <code>application.properties</code> file which should be located at the <code>src/main/resources</code> directory.</p>
</div>
<div class="sect2">
<h3 id="configuring-using-the-application-properties-file"><a class="anchor" href="#configuring-using-the-application-properties-file"></a>Configuring using the application.properties file</h3>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs">quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated</code></pre>
</div>
</div>
<div class="paragraph">
<p>This is the simplest configuration you can have when enabling authentication to your application.</p>
</div>
<div class="paragraph">
<p>The <code>quarkus.oidc.client-id</code> property references the <code>client_id</code> issued by the OpenID Connect Provider and, in this case, the application is a public client (no client secret is defined).</p>
</div>
<div class="paragraph">
<p>The <code>quarkus.oidc.application-type</code> property is set to <code>web-app</code> in order to tell Quarkus that you want to enable the OpenID Connect Authorization Code Flow, so that your users are redirected to the OpenID Connect Provider to authenticate.</p>
</div>
<div class="paragraph">
<p>For last, the <code>quarkus.http.auth.permission.authenticated</code> permission is set to tell Quarkus about the paths you want to protect. In this case,
all paths are being protected by a policy that ensures that only <code>authenticated</code> users are allowed to access. For more details check <a href="security">Security Guide</a>.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="starting-and-configuring-the-keycloak-server"><a class="anchor" href="#starting-and-configuring-the-keycloak-server"></a>Starting and Configuring the Keycloak Server</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To start a Keycloak Server you can use Docker and just run the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8080 {keycloak-docker-image}</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should be able to access your Keycloak Server at <a href="http://localhost:8180/auth">localhost:8180/auth</a>.</p>
</div>
<div class="paragraph">
<p>Log in as the <code>admin</code> user to access the Keycloak Administration Console. Username should be <code>admin</code> and password <code>admin</code>.</p>
</div>
<div class="paragraph">
<p>Import the <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-web-authentication-quickstart/config/quarkus-realm.json">realm configuration file</a> to create a new realm. For more details, see the Keycloak documentation about how to <a href="https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm">create a new realm</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="running-and-using-the-application"><a class="anchor" href="#running-and-using-the-application"></a>Running and Using the Application</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="running-in-developer-mode"><a class="anchor" href="#running-in-developer-mode"></a>Running in Developer Mode</h3>
<div class="paragraph">
<p>To run the microservice in dev mode, use <code>./mvnw clean compile quarkus:dev</code>.</p>
</div>
</div>
<div class="sect2">
<h3 id="running-in-jvm-mode"><a class="anchor" href="#running-in-jvm-mode"></a>Running in JVM Mode</h3>
<div class="paragraph">
<p>When you&#8217;re done playing with "dev-mode" you can run it as a standard Java application.</p>
</div>
<div class="paragraph">
<p>First compile it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package</code></pre>
</div>
</div>
<div class="paragraph">
<p>Then run it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">java -jar ./target/security-openid-connect-web-authentication-quickstart-runner.jar</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="running-in-native-mode"><a class="anchor" href="#running-in-native-mode"></a>Running in Native Mode</h3>
<div class="paragraph">
<p>This same demo can be compiled into native code: no modifications required.</p>
</div>
<div class="paragraph">
<p>This implies that you no longer need to install a JVM on your
production environment, as the runtime technology is included in
the produced binary, and optimized to run with minimal resource overhead.</p>
</div>
<div class="paragraph">
<p>Compilation will take a bit longer, so this step is disabled by default;
let&#8217;s build again by enabling the <code>native</code> profile:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package -Pnative</code></pre>
</div>
</div>
<div class="paragraph">
<p>After getting a cup of coffee, you&#8217;ll be able to run this binary directly:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./target/security-openid-connect-web-authentication-quickstart-runner</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="testing-the-application"><a class="anchor" href="#testing-the-application"></a>Testing the Application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To test the application, you should open your browser and access the following URL:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://localhost:8080">http://localhost:8080</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If everything is working as expected, you should be redirected to the Keycloak server to authenticate.</p>
</div>
<div class="paragraph">
<p>In order to authenticate to the application you should type the following credentials when at the Keycloak login page:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Username: <strong>alice</strong></p>
</li>
<li>
<p>Password: <strong>alice</strong></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>After clicking the <code>Login</code> button you should be redirected back to the application.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="redirection"><a class="anchor" href="#redirection"></a>Redirection</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When the user is redirected to the OpenID Connect Provider to authenticate, the redirect URL includes a <code>redirect_uri</code> query parameter which indicates to the Provider where the user has to be redirected to once the authentication has been completed.</p>
</div>
<div class="paragraph">
<p>Quarkus will set this parameter to the current request URL by default. For example, if the user is trying to access a Quarkus service endpoint at <code><a href="http://localhost:8080/service/1" class="bare">http://localhost:8080/service/1</a></code> then the <code>redirect_uri</code> parameter will be set to <code><a href="http://localhost:8080/service/1" class="bare">http://localhost:8080/service/1</a></code>. Similarly, if the request URL is <code><a href="http://localhost:8080/service/2" class="bare">http://localhost:8080/service/2</a></code> then the <code>redirect_uri</code> parameter will be set to <code><a href="http://localhost:8080/service/2" class="bare">http://localhost:8080/service/2</a></code>, etc.</p>
</div>
<div class="paragraph">
<p>OpenID Connect Providers may be configured to require the <code>redirect_uri</code> parameter to have the same value (eg. <code><a href="http://localhost:8080/service/callback" class="bare">http://localhost:8080/service/callback</a></code>) for all the redirect URLs.
In such cases a <code>quarkus.oidc.authentication.redirect-path</code> property has to be set, for example, <code>quarkus.oidc.authentication.redirect-path=/service/callback</code>, and Quarkus will set the <code>redirect_uri</code> parameter to an absolute URL such as <code><a href="http://localhost:8080/service/callback" class="bare">http://localhost:8080/service/callback</a></code> which will be the same regardless of the current request URL.</p>
</div>
<div class="paragraph">
<p>If <code>quarkus.oidc.authentication.redirect-path</code> is set but the original request URL has to be restored after the user has been redirected back to a callback URL such as <code><a href="http://localhost:8080/service/callback" class="bare">http://localhost:8080/service/callback</a></code> then a <code>quarkus.oidc.authentication.restore-path-after-redirect</code> property has to be set to <code>true</code> which will restore the request URL such as <code><a href="http://localhost:8080/service/1" class="bare">http://localhost:8080/service/1</a></code>, etc.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="logout"><a class="anchor" href="#logout"></a>Logout</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default the logout is based on the expiration time of the ID Token issued by the OpenID Connect Provider. When the ID Token expires, the current user session at the Quarkus endpoint is invalidated and the user is redirected to the OpenID Connect Provider again to authenticate. If the session at the OpenID Connect Provider is still active, users are automatically re-authenticated without having to provide their credentials again.</p>
</div>
<div class="paragraph">
<p>The current user session may be automatically extended by enabling a <code>quarkus.oidc.token.refresh-expired</code> property. If it is set to <code>true</code> then when the current ID Token expires a Refresh Token Grant will be used to refresh ID Token as well as Access and Refresh Tokens.</p>
</div>
<div class="sect2">
<h3 id="user-initiated-logout"><a class="anchor" href="#user-initiated-logout"></a>User-Initiated Logout</h3>
<div class="paragraph">
<p>Users can request a logout by sending a request to the Quarkus endpoint logout path set with a <code>quarkus.oidc.logout.path</code> property.
For example, if the endpoint address is <code><a href="https://application.com/webapp" class="bare">https://application.com/webapp</a></code> and the <code>quarkus.oidc.logout.path</code> is set to "/logout" then the logout request has to be sent to <code><a href="https://application.com/webapp/logout" class="bare">https://application.com/webapp/logout</a></code>.</p>
</div>
<div class="paragraph">
<p>This logout request will start an <a href="https://openid.net/specs/openid-connect-session-1_0.html#RPLogout">RP-Initiated Logout</a> and the user will be redirected to the OpenID Connect Provider to logout where a user may be asked to confirm the logout is indeed intended.</p>
</div>
<div class="paragraph">
<p>The user will be returned to the endpoint post logout page once the logout has been completed if the <code>quarkus.oidc.logout.post-logout-path</code> property is set. For example, if the endpoint address is <code><a href="https://application.com/webapp" class="bare">https://application.com/webapp</a></code> and the <code>quarkus.oidc.logout.post-logout-path</code> is set to "/signin" then the user will be returned to <code><a href="https://application.com/webapp/signin" class="bare">https://application.com/webapp/signin</a></code> (note this URI must be registered as a valid <code>post_logout_redirect_uri</code> in the OpenID Connect Provider).</p>
</div>
<div class="paragraph">
<p>If the <code>quarkus.oidc.logout.post-logout-path</code> is set then a <code>q_post_logout</code> cookie will be created and a matching <code>state</code> query parameter will be added to the logout redirect URI and the OpenID Connect Provider will return this <code>state</code> once the logout has been completed. It is recommended for the Quarkus <code>web-app</code> applications to check that a <code>state</code> query parameter matches the value of the <code>q_post_logout</code> cookie which can be done for example in a JAX-RS filter.</p>
</div>
<div class="paragraph">
<p>Note that a cookie name will vary when using <a href="security-openid-connect-multitenancy">OpenID Connect Multi-Tenancy</a>. For example, it will be named <code>q_post_logout_tenant_1</code> for a tenant with a <code>tenant_1</code> id, etc.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="accessing-id-and-access-tokens"><a class="anchor" href="#accessing-id-and-access-tokens"></a>Accessing ID and Access Tokens</h2>
<div class="sectionbody">
<div class="paragraph">
<p>ID Token is always a JWT token. One can access ID Token claims by injecting <code>JsonWebToken</code> with an <code>IdToken</code> qualifier:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.IdToken;
import io.quarkus.security.Authenticated;

@Path("/web-app")
@Authenticated
public class ProtectedResource {

    @Inject
    @IdToken
    JsonWebToken idToken;

    @GET
    public String getUserName() {
        return idToken.getName();
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Access Token is usually used by the OIDC <code>web-app</code> application to access other endpoints on behalf of the currently logged in user. The raw access token can be accessed as follows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.Authenticated;

@Path("/web-app")
@Authenticated
public class ProtectedResource {

    @Inject
    JsonWebToken accessToken;

    // or
    // @Inject
    // AccessTokenCredential accessTokenCredential;

    @GET
    public String getReservationOnBehalfOfUser() {
        String rawAccessToken = accessToken.getRawToken();
        //or
        //String rawAccessToken = accessTokenCredential.getToken();

        // Use the raw access token to access a remote endpoint
        return getReservationfromRemoteEndpoint(rawAccesstoken);
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Note that <code>AccessTokenCredential</code> will have to be used if the Access Token issued to the Quarkus <code>web-app</code> application is opaque (binary) and can not be parsed to <code>JsonWebToken</code>.</p>
</div>
<div class="paragraph">
<p>Injection of the <code>JsonWebToken</code> and <code>AccessTokenCredential</code> is supported in both <code>@RequestScoped</code> and <code>@ApplicationScoped</code> contexts.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="user-info"><a class="anchor" href="#user-info"></a>User Info</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Set <code>quarkus.oidc.user-info-required=true</code> if a UserInfo JSON object from the OIDC userinfo endpoint has to be requested.
This will make an <code>io.quarkus.oidc.UserInfo</code> (which is a simple <code>javax.json.JsonObject</code> wrapper) object accessible as a SecurityIdentity <code>userinfo</code> attribute.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="token-claims-and-securityidentity-roles"><a class="anchor" href="#token-claims-and-securityidentity-roles"></a>Token Claims And SecurityIdentity Roles</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The way the roles are mapped to the SecurityIdentity roles from the verified tokens is identical to how it is done for the <a href="security-openid-connect#token-claims-and-securityidentity-roles">bearer tokens</a> with the only difference being is that <a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken">ID Token</a> is used as a source of the roles by default.</p>
</div>
<div class="paragraph">
<p>Note if you use Keycloak then you should set a Microprofile JWT client scope for ID token to contain a <code>groups</code> claim, please see the <a href="https://www.keycloak.org/docs/latest/server_admin/#protocol">Keycloak Server Administration Guide</a> for more information.</p>
</div>
<div class="paragraph">
<p>If only the access token contains the roles and this access token is not meant to be propagated to the downstream endpoints then set <code>quarkus.oidc.roles.source=accesstoken</code>.</p>
</div>
<div class="paragraph">
<p>If UserInfo is the source of the roles then set <code>quarkus.oidc.user-info-required=true</code> and <code>quarkus.oidc.roles.source=userinfo</code>, and if needed, <code>quarkus.oidc.roles.role-claim-path</code>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="single-page-applications"><a class="anchor" href="#single-page-applications"></a>Single Page Applications</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Please check if implementing SPAs the way it is suggested in the <a href="security-openid-connect#single-page-applications">Single Page Applications for Service Applications</a> section can meet your requirements.</p>
</div>
<div class="paragraph">
<p>If you do prefer to use SPA and <code>XMLHttpRequest</code>(XHR) with Quarkus <code>web-app</code> applications then please be aware that OpenId Connect Providers may not support CORS for Authorization endpoints where the users
 are authenticated after a redirect from Quarkus which will lead to the authentication failures if the Quarkus <code>web-app</code> application and OpenId Connect Provider are hosted on the different HTTP domains/ports.</p>
</div>
<div class="paragraph">
<p>In such cases one needs to set the <code>quarkus.oidc.authentication.xhr-auto-redirect</code> property to <code>false</code> which will instruct Quarkus to return a <code>499</code> status code and <code>WWW-Authenticate</code> header with the <code>OIDC</code> value and the browser script needs to be updated to set "X-Requested-With" header with the <code>XMLHttpRequest</code> value and reload the last requested page in case of <code>499</code>, for example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="javascript" class="language-javascript hljs">Future&lt;void&gt; callQuarkusService() async {
    Map&lt;String, String&gt; headers = Map.fromEntries([MapEntry("X-Requested-With", "XMLHttpRequest")]);

    await http
        .get("https://localhost:443/serviceCall")
        .then((response) {
            if (response.statusCode == 499) {
                window.location.assign(https://localhost.com:443/serviceCall);
            }
         });
  }</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuration-reference"><a class="anchor" href="#configuration-reference"></a>Configuration Reference</h2>
<div class="sectionbody">
<div class="paragraph configuration-legend">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> Configuration property fixed at build time - All other configuration properties are overridable at runtime</p>
</div>
<table class="tableblock frame-all grid-all stretch configuration-reference searchable">
<colgroup>
<col style="width: 80%;">
<col style="width: 10%;">
<col style="width: 10%;">
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_configuration"></a><a href="#quarkus-oidc_configuration">Configuration property</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-oidc_quarkus.oidc.enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.enabled">quarkus.oidc.enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If the OIDC extension is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-id">quarkus.oidc.tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-enabled">quarkus.oidc.tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.application-type">quarkus.oidc.application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.auth-server-url">quarkus.oidc.auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.discovery-enabled">quarkus.oidc.discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authorization-path">quarkus.oidc.authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.token-path">quarkus.oidc.token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.user-info-path">quarkus.oidc.user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.introspection-path">quarkus.oidc.introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.jwks-path">quarkus.oidc.jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.end-session-path">quarkus.oidc.end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.connection-delay">quarkus.oidc.connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.public-key">quarkus.oidc.public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.client-id">quarkus.oidc.client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-path">quarkus.oidc.roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-separator">quarkus.oidc.roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.source">quarkus.oidc.roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.issuer">quarkus.oidc.token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.audience">quarkus.oidc.token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.token-type">quarkus.oidc.token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.lifespan-grace">quarkus.oidc.token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.principal-claim">quarkus.oidc.token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.refresh-expired">quarkus.oidc.token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval">quarkus.oidc.token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.secret">quarkus.oidc.credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.value">quarkus.oidc.credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.method">quarkus.oidc.credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.secret">quarkus.oidc.credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan">quarkus.oidc.credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.host">quarkus.oidc.proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.port">quarkus.oidc.proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.username">quarkus.oidc.proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.password">quarkus.oidc.proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.redirect-path">quarkus.oidc.authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect">quarkus.oidc.authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters">quarkus.oidc.authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.verify-access-token">quarkus.oidc.authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme">quarkus.oidc.authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.scopes">quarkus.oidc.authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.cookie-path">quarkus.oidc.authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.user-info-required">quarkus.oidc.authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect">quarkus.oidc.authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.tls.verification">quarkus.oidc.tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.path">quarkus.oidc.logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.post-logout-path">quarkus.oidc.logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params">quarkus.oidc.authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_quarkus.oidc.named-tenants"></a><a href="#quarkus-oidc_quarkus.oidc.named-tenants">Additional named tenants</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-id">quarkus.oidc."tenant".tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled">quarkus.oidc."tenant".tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.application-type">quarkus.oidc."tenant".application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url">quarkus.oidc."tenant".auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled">quarkus.oidc."tenant".discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authorization-path">quarkus.oidc."tenant".authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token-path">quarkus.oidc."tenant".token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.user-info-path">quarkus.oidc."tenant".user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.introspection-path">quarkus.oidc."tenant".introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.jwks-path">quarkus.oidc."tenant".jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.end-session-path">quarkus.oidc."tenant".end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.connection-delay">quarkus.oidc."tenant".connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.public-key">quarkus.oidc."tenant".public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.client-id">quarkus.oidc."tenant".client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path">quarkus.oidc."tenant".roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator">quarkus.oidc."tenant".roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.source">quarkus.oidc."tenant".roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.issuer">quarkus.oidc."tenant".token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.audience">quarkus.oidc."tenant".token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.token-type">quarkus.oidc."tenant".token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace">quarkus.oidc."tenant".token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim">quarkus.oidc."tenant".token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired">quarkus.oidc."tenant".token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval">quarkus.oidc."tenant".token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret">quarkus.oidc."tenant".credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value">quarkus.oidc."tenant".credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method">quarkus.oidc."tenant".credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret">quarkus.oidc."tenant".credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan">quarkus.oidc."tenant".credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.host">quarkus.oidc."tenant".proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.port">quarkus.oidc."tenant".proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.username">quarkus.oidc."tenant".proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.password">quarkus.oidc."tenant".proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path">quarkus.oidc."tenant".authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect">quarkus.oidc."tenant".authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters">quarkus.oidc."tenant".authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token">quarkus.oidc."tenant".authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme">quarkus.oidc."tenant".authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes">quarkus.oidc."tenant".authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params">quarkus.oidc."tenant".authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path">quarkus.oidc."tenant".authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required">quarkus.oidc."tenant".authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect">quarkus.oidc."tenant".authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tls.verification">quarkus.oidc."tenant".tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.path">quarkus.oidc."tenant".logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path">quarkus.oidc."tenant".logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
</tbody>
</table>
<div id="duration-note-anchor" class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">About the Duration format</div>
<div class="paragraph">
<p>The format for durations uses the standard <code>java.time.Duration</code> format.
You can learn more about it in the <a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-">Duration#parse() javadoc</a>.</p>
</div>
<div class="paragraph">
<p>You can also provide duration values starting with a number.
In this case, if the value consists only of a number, the converter treats the value as seconds.
Otherwise, <code>PT</code> is implicitly prepended to the value to obtain a standard <code>java.time.Duration</code> format.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="references"><a class="anchor" href="#references"></a>References</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://www.keycloak.org/documentation.html">Keycloak Documentation</a></p>
</li>
<li>
<p><a href="https://openid.net/connect/">OpenID Connect</a></p>
</li>
<li>
<p><a href="https://tools.ietf.org/html/rfc7519">JSON Web Token</a></p>
</li>
</ul>
</div>
</div>
</div>
    </div>
  </div>
</div>

  </div>

  <div class="content project-footer">
  <div class="footer-section">
    <div class="logo-wrapper">
      <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_reverse.svg" class="project-logo" title="Quarkus"></a>
    </div>
  </div>
  <div class="grid-wrapper">
    <p class="grid__item width-3-12">Quarkus is open. All dependencies of this project are available under the <a href='https://www.apache.org/licenses/LICENSE-2.0' target='_blank'>Apache Software License 2.0</a> or compatible license.<br /><br />This website was built with <a href='https://jekyllrb.com/' target='_blank'>Jekyll</a>, is hosted on <a href='https://pages.github.com/' target='_blank'>Github Pages</a> and is completely open source. If you want to make it better, <a href='https://github.com/quarkusio/quarkusio.github.io' target='_blank'>fork the website</a> and show us what you’ve got.</p>

    
      <div class="width-1-12 project-links">
        <span>Navigation</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="/">Home</a></li>
          
            <li><a href="/guides">Guides</a></li>
          
            <li><a href="/community/#contributing">Contribute</a></li>
          
            <li><a href="/faq">FAQ</a></li>
          
            <li><a href="/get-started">Get Started</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Contribute</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://twitter.com/quarkusio">Follow us</a></li>
          
            <li><a href="https://github.com/quarkusio">GitHub</a></li>
          
            <li><a href="/security">Security&nbsp;policy</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Get Help</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://groups.google.com/forum/#!forum/quarkus-dev">Forums</a></li>
          
            <li><a href="https://quarkusio.zulipchat.com">Chatroom</a></li>
          
        </ul>
      </div>
    

    
      <div class="width-3-12 more-links">
        <span>Quarkus is made of community projects</span>
        <ul class="footer-links">
          
            <li><a href="https://vertx.io/" target="_blank">Eclipse Vert.x</a></li>
          
            <li><a href="https://microprofile.io" target="_blank">Eclipse MicroProfile</a></li>
          
            <li><a href="https://hibernate.org" target="_blank">Hibernate</a></li>
          
            <li><a href="https://netty.io" target="_blank">Netty</a></li>
          
            <li><a href="https://resteasy.github.io" target="_blank">RESTEasy</a></li>
          
            <li><a href="https://camel.apache.org" target="_blank">Apache Camel</a></li>
          
            <li><a href="https://code.quarkus.io/" target="_blank">And many more...</a></li>
          
        </ul>
      </div>
    
  </div>
</div>
  <div class="content redhat-footer">
  <div class="grid-wrapper">
    <span class="licence">
      <i class="fab fa-creative-commons"></i><i class="fab fa-creative-commons-by"></i> <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank">CC by 3.0</a> | <a href="https://www.redhat.com/en/about/privacy-policy">Privacy Policy</a>
    </span>
    <span class="redhat">
      Sponsored by
    </span>
    <span class="redhat-logo">
      <a href="https://www.redhat.com/" target="_blank"><img src="/assets/images/redhat_reversed.svg"></a>
    </span>
  </div>
</div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>
  <script type="text/javascript" src="/assets/javascript/mobile-nav.js"></script>
  <script type="text/javascript" src="/assets/javascript/scroll-down.js"></script>
  <script src="/assets/javascript/satellite.js" type="text/javascript"></script>
  <script src="https://quarkus.io/guides/javascript/config.js" type="text/javascript"></script>
  <script src="/assets/javascript/search-filter.js" type="text/javascript"></script>
  <script src="/assets/javascript/back-to-top.js" type="text/javascript"></script>
</body>

</html>
